nanog mailing list archives

Re: Microsoft and Teredo


From: Nathan Ward <nanog () daork net>
Date: Fri, 1 Jun 2007 00:09:49 +1200



On 31/05/2007, at 11:41 PM, Adrian Chadd wrote:


On Thu, May 31, 2007, Sean Siler wrote:

Nathan,

While these are really good questions, I'm afraid I don't have really good answers to them yet. We haven't made the bits available for customers to install their own Teredo Servers/Relays at this point, and because we haven't, we also don't have good deployment guidance to go along with that.

I have my own feelings, but let me ask this: what do you all feel about installing a Teredo server in order to provide v6 connectivity to your clients? Is this something that you are really interested in?

I'd prefer to throw IPv6 network ranges at customer links, so they can have
"other" devices on IPv6. IPv6 isn't just for desktops.

Medium+ term, of course. I don't see Teredo as something that will be my primary way of getting IPv6 to end users forever. (I don't think anyone does.)

How do Teredo servers tie into network security? Does the act of tunneling
from v4 to a v6 broker bypass firewalls, IDSes, etc?

In perfect time, this was published yesterday, to answer that very question: http://www.ietf.org/internet-drafts/draft-hoagland-v6ops-teredosecconcerns-00.txt
See also some comments from MS:
http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx#ERH

In short, yes. If you're concerned about hosts at your site getting to the world using Teredo, you can simply block 3544/UDP to prevent hosts bootstrapping - I'm not sure if already-bootstrapped hosts would continue to function; I'm guessing that they would. Alternatively, disabling Teredo with registry settings works fine, but obviously requires more than just control of a wire.

IDSs+firewalls probably need to become Teredo aware pretty quickly, along with anything that needs to do deep-packet inspection (P2P rate limiting boxes, for example). I'm not aware of any of these vendors supporting this, but then again, I haven't looked hard.

--
Nathan Ward
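The two points in the reply above (blocking 3544/UDP only stops bootstrapping, and inspection gear has to look inside the UDP payload to see the IPv6 packet) can be made concrete with a small parser. The following is an added illustration, not code from the NANOG posters or from Microsoft. It follows the RFC 4380 address and encapsulation layout: a Teredo address is 2001:0000::/32 | server IPv4 | flags | (client port XOR 0xFFFF) | (client IPv4 XOR 0xFFFFFFFF), and the tunnelled IPv6 packet travels as the payload of an IPv4/UDP datagram, optionally preceded by an authentication header and an origin indication. All addresses, ports and packets in it are constructed samples (RFC 5737/3849 documentation ranges), and the NAT mapping it assumes (198.51.100.7:40000) is made up for the example.

```python
"""Spot Teredo-tunnelled IPv6 inside IPv4/UDP and decode Teredo addresses.

Added illustration, not code from the thread. Layout per RFC 4380; every
address and packet below is a constructed sample.
"""
import ipaddress
import struct

TEREDO_PORT = 3544                                  # server port; relays use any port
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # 2001:0000::/32


def make_teredo_address(server, client_ipv4, client_port, cone=True):
    """Build the Teredo address a client derives from its server and NAT-mapped address."""
    flags = 0x8000 if cone else 0
    raw = (b"\x20\x01\x00\x00"
           + ipaddress.IPv4Address(server).packed
           + struct.pack("!HH", flags, client_port ^ 0xFFFF)
           + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client_ipv4).packed))
    return str(ipaddress.IPv6Address(raw))


def parse_teredo_address(addr):
    """Decode server, cone flag and the client's mapped IPv4:port; None if not Teredo."""
    a = ipaddress.IPv6Address(str(addr))
    if a not in TEREDO_PREFIX:
        return None
    raw = a.packed
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "cone": bool(flags & 0x8000),
        "client_port": obf_port ^ 0xFFFF,
        "client_ipv4": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
    }


def inspect_ipv4_packet(pkt):
    """Return a finding if pkt is IPv4/UDP carrying a Teredo-encapsulated IPv6 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or len(pkt) < ihl + 8:            # protocol 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    payload = pkt[ihl + 8:]
    # Authentication header: 0x0001, ID-len, AU-len, id, auth value, 8-byte nonce, confirmation.
    if payload[:2] == b"\x00\x01" and len(payload) >= 4:
        id_len, au_len = payload[2], payload[3]
        payload = payload[4 + id_len + au_len + 9:]
    # Origin indication: 0x0000, obfuscated port, obfuscated IPv4 (8 bytes in total).
    if payload[:2] == b"\x00\x00" and len(payload) >= 8:
        payload = payload[8:]
    if len(payload) < 40 or payload[0] >> 4 != 6:       # need a complete IPv6 header
        return None
    src6 = ipaddress.IPv6Address(payload[8:24])
    dst6 = ipaddress.IPv6Address(payload[24:40])
    tsrc, tdst = parse_teredo_address(src6), parse_teredo_address(dst6)
    to_server = TEREDO_PORT in (sport, dport)
    if tsrc is None and tdst is None and not to_server:
        return None
    return {"udp": (sport, dport), "to_server": to_server,
            "inner_src": str(src6), "inner_dst": str(dst6),
            "inner_next_header": payload[6], "teredo_src": tsrc, "teredo_dst": tdst}


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4/UDP datagram (checksums left zero; enough for header parsing)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def build_ipv6(src, dst, next_header, payload=b""):
    """Minimal IPv6 header plus payload."""
    return (struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def sample_packets():
    """Constructed traffic from a client whose NAT mapping is 198.51.100.7:40000, server 203.0.113.1."""
    client6 = make_teredo_address("203.0.113.1", "198.51.100.7", 40000)
    auth_hdr = b"\x00\x01\x00\x00" + b"\x11" * 8 + b"\x00"   # empty id/auth, nonce, confirmation
    rs = build_ipv6("fe80::8000:63bf:39cc:9bf8", "ff02::2", 58, struct.pack("!BBHI", 133, 0, 0, 0))
    return {
        # Bootstrap: router solicitation to the server on 3544/UDP; blocking the port stops this.
        "to_server": build_ipv4_udp("198.51.100.7", "203.0.113.1", 40000, TEREDO_PORT, auth_hdr + rs),
        # Data to a relay on an arbitrary port: only the inner Teredo address gives it away.
        "to_relay": build_ipv4_udp("198.51.100.7", "192.0.2.200", 40000, 5000,
                                   build_ipv6(client6, "2001:db8::1", 59)),
        # Ordinary DNS query; must not match.
        "dns": build_ipv4_udp("192.0.2.10", "192.0.2.53", 53000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, inspect_ipv4_packet(pkt))
```

The "to_relay" sample is the case the reply is worried about: the outer datagram goes to an arbitrary UDP port, so a port-based rule never sees it, and the only signal is the 2001:0000::/32 address inside the payload. Decoding that address also recovers the client's NAT-mapped IPv4 and port, which is what a firewall or IDS would correlate against its own NAT state.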

